An exploit that fetched a teenage hacker a $60,000 bounty targeted six different security bugs to break out of the security sandbox fortifying Google's Chrome browser.

The extreme lengths taken in March by a hacker identified only as Pinkie Pie underscore the difficulty of piercing this safety perimeter. Google developers have erected their sandbox to separate Web content from sensitive operating-system functions, such as the ability to read and write files to a hard drive. Such sandboxes are designed to minimize the damage that can be done when attackers identify and exploit buffer overflows and other types of software bugs that inevitably find their way into complex bodies of code.

Pinkie Pie's attack came during Pwnium, a contest that awarded $60,000 prizes to hackers who successfully broke out of the protective barrier by exploiting only vulnerabilities residing in code that is native to the Google browser. The teenager was one of only two contestants to win the top prize. He did it after executing a custom-written Netscape Plugin Application Programming Interface (NPAPI) plugin directly on a Dell Inspiron laptop that ran a fully patched version of Chrome on a fully patched version of Microsoft's Windows 7 operating system. Google patched the severest of the vulnerabilities within 24 hours of their being exploited.

According to technical details Google published Tuesday, Pinkie Pie's odyssey began with a bug in a prerendering engine that helps Chrome work faster by gathering clues about webpages before they're loaded. By combining that attack with a second one that exploited a separate bug, he was able to inject a tiny, eight-byte address into a highly restricted section of the browser that processes commands sent to graphics cards.

By guessing some predictable addresses allocated by Windows, he was able to execute the snippet using a technique known as return-oriented programming, which extracts pieces of code present in executable memory areas and rearranges them to form a malicious payload. Although graphics processes are sandboxed, their restrictions are more permissive than those applied to the parts of Chrome that render HTML and to Native Client processes. That allowed the hacker to tap Chrome's inter-process communications channel—which allows different parts of the browser to work together—and exploit two additional bugs described here and here. They allowed his code to gain additional privileges so it could access the part of Chrome that runs NPAPI plugins. (Note: To keep similar bugs from being exploited in other programs, Google is delaying the disclosure of some details. Some of these links may not work immediately.)

By exploiting two more bugs here and here, he was finally able to break out of the sandbox. The Dell Inspiron responded by displaying an image of a pink pony wielding a medieval axe, but it could just as easily have loaded a backdoor trojan that gave Pinkie Pie complete control over the machine.

Pinkie Pie speaks

In an e-mail that arrived after this article was published, Pinkie Pie said Google's deep-dive analysis differed markedly from the way he thought about the attack while he was fashioning it.

"It's interesting to see the bugs listed this way because when writing the exploit I only counted three bugs, not six," he wrote. "117417, 117715, and 117736 are all hardening measures that enforce security boundaries that don't strictly need to exist, which I guess is a good thing."

He went on to say he wasn't sure if he could break out of Chrome's sandbox a second time.

"Finding vulnerabilities is very luck based, and a new exploit would likely use a totally different code path," he explained. "But keep in mind that to be eligible for the $60,000, I had to use only bugs in Chrome itself, not the operating system, which is a fairly severe restriction compared to a real attack."

He also noted that the successful attack by Sergey Glazunov, the other Pwnium contestant to take home a $60,000 prize, "relied on roughly 10 distinct bugs," according to the Google blog post. An upcoming post will contain the details, Google promised.

The exploit underscores the hacking truism that it can take a single teenager days to break what hundreds of highly paid professionals have spent years to build. While Pinkie Pie's journey was painstaking, he said at the time that it took him only about 10 days to plan and execute it. The episode also explains why Google to date has awarded more than $500,000 to hackers who privately report vulnerabilities in its software and services. Sometimes, the only way to erect an impenetrable castle is to occasionally watch it come crashing down.

Updated to add comments from Pinkie Pie.

Promoted Comments

The skill of this hacker boggles the mind. I have a com sci degree and most of this is still way out of my league. The complexity of this hack both demonstrates the strength of Chrome's security and reinforces the truism that no security is perfect.

How the hell does a teenager learn all this stuff? Mind you, programming is fun but hacking? Sure, the final result IS fun but wading through bits and bytes? Sheesh. I admire this story and this kid. Simply amazing.

Lots of books, lots of random tutorial PDFs translated from Russian, and most importantly, lots and lots of time in OllyDbg. Everyone I know who is like this started as a young teen and was/is obsessed with it.

And in the distant past, SoftICE, and SmartCheck. And the tuts by the masters of the dark art of reverse engineering.

I learned by breaking copy protection on games -- I really really wanted to play the games the cool kids had but I couldn't afford to buy (heart-breaking stuff, I know). You just need the motivation -- it also helps if you like solving problems, which is pretty much all programming is.

Kudos to Google for rewarding people who directly contribute to their product (and help protect Google's brand).

Since 6 bugs are needed to break out of Chrome's sandbox, isn't it unlikely that this attack would have worked in the real world?

Especially if some of the 'bugs' needed specific steps done for them to work? That said, it's good that people are pointing out these bugs to Google and getting them fixed.

Abresh, it sounds like you don't understand how this contest works. Per the rules, entrants took a fully patched machine and pointed it at a booby-trapped website. If the website was able to execute code on the computer using only code native to Chrome, the person won the $60,000 prize.

In other words, Pinkie Pie's attack *did* work in the real world. Make sense?